Jetty
  1. Jetty
  2. JETTY-86

needClientAuth and wantClientAuth code is flawed

    Details

    • Type: Bug Bug
    • Status: Resolved Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0beta17
    • Fix Version/s: 6.0.0rc1, 6.0.0
    • Component/s: Security and SSL
    • Labels:
      None
    • Environment:
      JDK 1.4
    • Number of attachments :
      0

      Description

      The code that handles needClientAuth and wantClientAuth is flawed. First some education. An SSLServerSocket can have only one of three states with regards to requesting client authentication: 1. don't request it (the default), 2. request it (set via setWantClientAuth) but if not supplied then that's okay, or 3. require it (set via setNeedClientAuth). So if you were to call both methods, then only the latter takes effect. Jetty is calling both (first the "need", then "want" method). The result is that it is impossible to need client authentication. I think Jetty should do the following:

      Store the needClientAuth and wantClientAuth values internally as Boolean objects (so that they can be null).
      In newServerSocket, check to see if both are non-null and if so throw some sort of configuration error.
      Only call either of the set methods if their respective field is non-null.

      I'd rather Jetty do this, which is essentially just facilitating configuration of the SSL APIs, rather than logical reasoning of need vs want, trying to figure out what is intended. Now it does neither, it is broken.

        Activity

        Hide
        David Smiley added a comment -

        One more thing... to observe I am right about this bug, simply debug Jetty setting the breakpoint to after both the set's are called. Configure Jetty to need client auth (and optionally set want client auth but it doesn't matter)... and evaluate "socket.getNeedClientAuth()" is false, no matter what you do. (I can do this easily with IntelliJ IDEA, perhaps you can dynamically invoke ad-hoc expressions during debugging with other IDEs.)

        Show
        David Smiley added a comment - One more thing... to observe I am right about this bug, simply debug Jetty setting the breakpoint to after both the set's are called. Configure Jetty to need client auth (and optionally set want client auth but it doesn't matter)... and evaluate "socket.getNeedClientAuth()" is false, no matter what you do. (I can do this easily with IntelliJ IDEA, perhaps you can dynamically invoke ad-hoc expressions during debugging with other IDEs.)
        Hide
        Greg Wilkins added a comment -

        Nik,
        This has already been fixed in Jetty 5 (I think), so we should just need to move the same logic over to jetty 6

        Show
        Greg Wilkins added a comment - Nik, This has already been fixed in Jetty 5 (I think), so we should just need to move the same logic over to jetty 6
        Hide
        Greg Wilkins added a comment -

        Fix from nik applied and committed

        Show
        Greg Wilkins added a comment - Fix from nik applied and committed

          People

          • Assignee:
            nik gonzalez
            Reporter:
            David Smiley
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: